Embedded SCADA systems hum along behind the scenes, keeping buildings warm, regulating industrial processes, and sometimes making sure the uranium's being treated with all the extreme care it's accustomed to. These three Black Hat 2014 Briefings explore what happens when SCADA systems become vulnerable, perhaps losing control of the careful balance they're designed to maintain.

Wireless is more than just Wi-Fi: smart meters, wearable devices, the Internet of Things, the list goes on. But the developers of these new devices often lack security bona fides, leading to security and privacy issues in the new tech. Bringing Software Defined Radio to the Penetration Testing Community presents one solution: a new, easy-to-use wireless monitor / injector tool that can interface with a wide range of such devices, providing effective penetration testing opportunities over the radio waves.

Modern Industrial Control Systems (ICS) are deeply integrated with other parts of corporate networks. What would happen if you could connect to the line where low-level network protocols flow (such as HART, FF H1, Profibus DP, and Modbus over RS-485)? Not only could you affect industrial processes, you could attack PAS, MES, and even ERP systems. ICSCorsair: How I Will PWN Your ERP Through 4-20 mA Current Loop will introduce ICSCorsair, an open hardware tool for auditing these low-level ICS protocols. In addition to all the auditing capabilities, come to the talk to see ICSCorsair trigger XXE, DoS, XSS and other vulns via a low-level ICS line.

Finally, there's more to SCADA hacking than just getting in. Jason Larsen will explore the detail-oriented aftermath in Miniaturization, in which he'll posit that an attacker wants to embed their payload into a tiny pressure sensor with only a few kilobytes of memory. How does that work? How do you spoof its normal function to avoid roving eyes, while still delivering your attack? Larsen's got enlightening answers for these questions and many more.

